Still seems like there’s a good opportunity to abstract away IAM policies in Pulumi, e.g. define a link between a lambda and another lambda, or an S3 bucket, and immediately get generated for you:
• sensible and customizable IAM policies (e.g. invokeLambda, getObject)
• environment variables in the lambda (ARN of other lambda or s3 bucket name)
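The link abstraction this comment sketches, as an added example in plain TypeScript rather than Pulumi code (it is not from the comment's author or the Pulumi project): a `link()` function turns declared dependencies into resource-scoped IAM statements plus the matching environment variables, with a check that nothing was widened to `*`. The region/account values and the env-var naming scheme are assumptions; in a real Pulumi component this output would feed an `aws.iam.RolePolicy` and the function's `environment` block.

```typescript
// Added example: models the proposed "link" between a Lambda and its targets.
// No Pulumi imports; the policy/env output is what a component would wire up.

type Target =
  | { kind: "s3Bucket"; name: string; access: "getObject" | "putObject" }
  | { kind: "lambda"; name: string; access: "invoke" };

interface Statement { Effect: "Allow"; Action: string[]; Resource: string[] }
interface Policy { Version: "2012-10-17"; Statement: Statement[] }
interface LinkResult { policy: Policy; env: Record<string, string> }

// Env-var name derived from the target name (assumed convention):
// "uploads-bucket" -> UPLOADS_BUCKET_NAME, "resize-image" -> RESIZE_IMAGE_ARN
function envKey(t: Target): string {
  const base = t.name.replace(/[^A-Za-z0-9]+/g, "_").toUpperCase();
  return t.kind === "s3Bucket" ? `${base}_NAME` : `${base}_ARN`;
}

// Builds one statement per target, always scoped to that target's ARN,
// never to "*". Region and account are constructed placeholder values.
function link(targets: Target[], region = "us-east-1", account = "123456789012"): LinkResult {
  const statements: Statement[] = [];
  const env: Record<string, string> = {};
  for (const t of targets) {
    if (t.kind === "s3Bucket") {
      const action = t.access === "getObject" ? "s3:GetObject" : "s3:PutObject";
      // Object-level actions apply to objects, so the resource is bucket/*.
      statements.push({ Effect: "Allow", Action: [action], Resource: [`arn:aws:s3:::${t.name}/*`] });
      env[envKey(t)] = t.name;
    } else {
      const arn = `arn:aws:lambda:${region}:${account}:function:${t.name}`;
      statements.push({ Effect: "Allow", Action: ["lambda:InvokeFunction"], Resource: [arn] });
      env[envKey(t)] = arn;
    }
  }
  return { policy: { Version: "2012-10-17", Statement: statements }, env };
}

// Guard a reviewer would want: no statement may grant a wildcard action or resource.
function isLeastPrivilege(p: Policy): boolean {
  return p.Statement.every(
    (s) => !s.Action.some((a) => a === "*" || a.endsWith(":*")) && !s.Resource.includes("*"),
  );
}
```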